pkgsrc-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: R certificate issue
On 06/16/17 01:38, coypu%sdf.org@localhost wrote:
I think we need to should teach curl to look in the right place.
It appears it has an option --with-ca-fallback=yes which might have the
expected behaviour, as it comes with the description:
checking whether to use builtin CA store of SSL library...
(So something like ``CONFIGURE_ARGS+= --with-ca-fallback=yes'' in curl's
makefile, and verifying that this line changes from 'no' to 'yes')
it looks like it will use openssl's code and certificates to validate if
an earlier option doesn't work.
And being a functional change, bump PKGREVISION :-)
If that fails we can pass it a CA_PATH, pkgsrc/*/mozilla-rootcerts
SSLDIR might contain the right logic for where the certificates are
expected to be.
I tried adding --with-ca-fallback and it made no difference. I then
doubled back to reexamine the problem.
It looks like I got some bad empirical data from my colleague on manual
curl downloads. Something in his environment, I think.
When I tried to reproduce his results, I saw what the real issue is:
Linux sciprog2.ceas bacon ~ 434: (pkgsrc): which curl
/sharedapps/pkg-2017Q1/bin/curl
Linux sciprog2.ceas bacon ~ 435: (pkgsrc): curl
https://cran.r-project.org/CRAN_mirrors.csv
curl: (60) SSL certificate problem: self signed certificate in
certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
The curl that ships with CentOS accepts the certificate by default, though.
Linux sciprog2.ceas bacon ~ 439: (pkgsrc): /usr/bin/curl
https://cran.r-project.org/CRAN_mirrors.csv | head -n 3
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:--
--:--:--
0"Name","Country","City","URL","Host","Maintainer","OK","CountryCode","Comment"
"0-Cloud
[https]","0-Cloud","0-Cloud","https://cloud.r-project.org/","Automatic
redirection to servers worldwide, currently sponsored by
Rstudio","winston # stdout.org",1,"us","secure_mirror_from_master"
"0-Cloud","0-Cloud","0-Cloud","http://cloud.r-project.org/","Automatic
redirection to servers worldwide, currently sponsored by
Rstudio","winston # stdout.org",1,"us","secure_mirror_from_master"
100 24698 100 24698 0 0 28732 0 --:--:-- --:--:-- --:--:--
88207
curl: (23) Failed writing body (4096 != 8314)
And again, we can make pkgsrc curl work by forcing it to use the Linux
certificates.
I think it's reasonable to reject self-signed certificates by default,
so I wouldn't argue for any changes here. I'm just raising awareness
about the issue.
I'd personally lean toward patching R's curl downloads so they accept
self-signed certificates. Then R will work out of the box without
impacting security anywhere else.
--
Earth is a beta site.
Home |
Main Index |
Thread Index |
Old Index